Full Disclosure mailing list archives

Re: Audit: don't only focus on heartbleed issue


From: Paul McMillan <paul () mcmillan ws>
Date: Wed, 16 Apr 2014 18:38:48 +0000

Also remember to actually try the exploit, even if you think your
0.9.8 installation isn't vulnerable. We found several devices which
were running a safe version in the audit paperwork, but actually
running a vulnerable version in practice.

-Paul

On Wed, Apr 16, 2014 at 6:03 PM, Ron Bowes <ron () skullsecurity net> wrote:
Are there actually any real-world attack scenarios for BEAST, CRIME, or
Lucky-thirteen?

Heartbleed has been used in actual legitimate attacks, but those earlier
attacks all seem pretty tame in comparison. Worth fixing, of course, but
they don't seem *as* critical to me.

Ron


On Wed, Apr 16, 2014 at 3:10 AM, Shawn <citypw () gmail com> wrote:

After an exciting and crazy week, people are getting calm and planning
or already starting to do audits on their systems. But there is something
you might miss. The older versions of OpenSSL (like 0.9.8) might not be
affected by the Heartbleed issue, but it doesn't mean you are secure. Don't
forget the old OpenSSL is still vulnerable to BEAST (2011), CRIME
(2012), Lucky-thirteen (2013) [1]. I do believe Lucky-thirteen is far
more dangerous than Heartbleed; we just don't know. Once you start the
audit, plz upgrade the OpenSSL to the latest version. If you are using
0.9.8, plz upgrade to 0.9.8y, which is not vulnerable to the Lucky-13
issue.

Fixing the Heartbleed issue for websites is much easier than for networking
devices (firewall, UTM, SSL/IPSEC VPN, etc.) and 3rd-party
software. This is definitely gonna have a long-term impact.


[1] http://www.isg.rhul.ac.uk/tls/

--
GNU powered it...
GPL protect it...
God blessing it...

regards
Shawn
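The two audit points raised in this thread (Shawn's: 0.9.8 builds below 0.9.8y are still exposed to Lucky-13; Paul's: the version in the paperwork is not always the version actually running) can be turned into a small inventory check. The script below is an added example and not code from either poster. It parses `openssl version` style banners, compares 0.9.8-branch builds against the 0.9.8y floor stated in the thread, and flags hosts whose recorded and observed versions disagree. The host names, banners and inventory records are constructed sample data; the floor value comes from the thread, not from an independent check of the OpenSSL changelog.

```python
"""Reconcile recorded vs. observed OpenSSL versions in an audit inventory.

Added example (not from the original thread). Parses banners such as
"OpenSSL 0.9.8k 25 Mar 2009", compares 0.9.8-branch builds against the
0.9.8y floor the thread gives for Lucky-13, and reports hosts whose audit
paperwork disagrees with what is actually running.
"""
import re
from typing import Dict, List, NamedTuple, Optional

# Matches the leading "OpenSSL <major>.<minor>.<patch><letters>" of a banner.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


class OpenSSLVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    letter: str  # "" < "a" < ... < "y" < "z" < "za": plain tuple ordering works


# Floor stated in the thread: 0.9.8y is the 0.9.8 release that fixes Lucky-13.
LUCKY13_FLOOR_098 = OpenSSLVersion(0, 9, 8, "y")


def parse_version(banner: str) -> Optional[OpenSSLVersion]:
    """Return the parsed version, or None if the banner is not recognisable."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return OpenSSLVersion(int(m.group(1)), int(m.group(2)),
                          int(m.group(3)), m.group(4))


def lucky13_status(v: OpenSSLVersion) -> str:
    """Classify a version against the 0.9.8y floor from the thread.

    Only the 0.9.8 branch is judged here; other branches return
    "other-branch" so the caller can apply its own rule for them.
    """
    if (v.major, v.minor, v.patch) != (0, 9, 8):
        return "other-branch"
    return "below-0.9.8y" if v < LUCKY13_FLOOR_098 else "ok"


def reconcile(inventory: List[dict]) -> Dict[str, List[str]]:
    """Map each host to its findings (empty list means nothing to report)."""
    findings: Dict[str, List[str]] = {}
    for entry in inventory:
        recorded = parse_version(entry["recorded"])
        observed = parse_version(entry["observed"])
        notes: List[str] = []
        if observed is None:
            notes.append("unparseable observed banner")
        else:
            if recorded != observed:
                notes.append("paperwork mismatch")
            if lucky13_status(observed) == "below-0.9.8y":
                notes.append("below 0.9.8y")
        findings[entry["host"]] = notes
    return findings


# Constructed sample inventory: "recorded" is what the audit paperwork says,
# "observed" is the banner actually collected from the device.
SAMPLE_INVENTORY = [
    {"host": "fw-01", "recorded": "OpenSSL 0.9.8y 5 Feb 2013",
     "observed": "OpenSSL 0.9.8k 25 Mar 2009"},
    {"host": "web-02", "recorded": "OpenSSL 0.9.8y 5 Feb 2013",
     "observed": "OpenSSL 0.9.8y 5 Feb 2013"},
    {"host": "vpn-03", "recorded": "OpenSSL 1.0.1g 7 Apr 2014",
     "observed": "OpenSSL 1.0.1g 7 Apr 2014"},
]

if __name__ == "__main__":
    for host, notes in reconcile(SAMPLE_INVENTORY).items():
        print(f"{host}: {', '.join(notes) if notes else 'no findings'}")
```

A banner only tells you which library build the host claims to run; vendor appliances often backport fixes without changing the letter, or change the letter without carrying the fix, so a mismatch or a below-floor result is a prompt to verify behaviour on the device itself, which is the point Paul makes above.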

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

